Why are endpoint security controls on Android devices so lacking compared to their laptop counterparts? What are the technical challenges to securing Android, and what should you be aware of before signing on to an MDM platform that claims to add security to your business devices?
Bringing Government and Enterprise Security Controls to the Android Endpoint
Optio is a subsidiary of Allied Minds, an innovative U.S. science and technology development and commercialization company. Operating since 2006, Allied Minds forms, funds, manages and builds products and businesses based on innovative technologies developed at leading U.S. universities and federal research institutions. Allied Minds serves as a diversified holding company that supports its businesses and product development with capital, central management and shared services. More information about the Boston-based company can be found at www.alliedminds.com.
Bringing Enterprise and Government
Security Controls to the Android Endpoint
March 2016
Dr. Hamilton Turner
Senior Director of Engineering & Research
CONFIDENTIAL. ALL RIGHTS RESERVED.
About Me
• Working with Android for ~7 years
• Doctorate from Virginia Polytechnic with a specialization in optimizing and securing mobile cloud computing systems
• Senior Director of Engineering and Research
– Responsible for all research initiatives
– Advisor on engineering initiatives from a planning and software quality control standpoint
– Lead software developer on multiple projects
Presentation Overview
• How should a smartphone be secured?
• How are smartphones being secured?
• Why are security controls on smartphones lagging behind security controls on laptops?
• Our approach to improving Android security
How should a smartphone be secured?
Android is a huge, complex codebase
– Changing code adds bugs
– Changing code is costly
– Too many code modifications will eventually cause project failure
Automation helps, but…
– Often it just helps you break more in less time
Common Enterprise Smartphone Controls
• App wrapping
– Proxy all app communication through a ‘security’ layer
• Containerization
– Create one ‘secure sandbox’ shared by all enterprise apps
• Device administration APIs
– Ask system to enforce security for you
• Mobile Device Management
– A collection of these technologies (not actually a security technology)
Application Wrapping
• Goal: Intercept every method call the application could use to interact with the system
– Add a ‘decision’ to each
– Choose to block/allow/modify each interaction
• No system modifications
Diagrams: Non-wrapped Android Apps; Wrapped Android Apps
Application Wrapping
• Large maintenance burden
– Every single version of every single app must be wrapped
• “Escaping” is fairly easy
– Exec / Java Reflection
– Unprotected NDK interfaces
– Symbolic links in filesystem
– Internal components, e.g. web views
• ‘Security feature’ is inside the sandbox – the app can modify it!
• Offers no protection inside the OS
– Once data leaves the sandbox, it’s gone
Containerization
• Natural extension of app wrapping
– Most solutions today operate in the app sandbox
– Notable exceptions are Android for Work-based implementations
• Adds some shared information into the wrapping logic
– Security keys for data encryption/decryption
– Policy decision-making across the entire phone
– User accounts, single sign-on, etc.
Containerization
• Natural extension of app wrapping
– Inherits concerns about:
• Large maintenance overhead
• Escaping security is fairly easy
• Security is not independent of the apps being secured
• Increased maintenance overhead
– Every version of every app must be wrapped with the correct container version
• Improvement: Does offer some protection from a leaky OS
Device Administration APIs
• Too simple to cover many use cases
– password length
– screen lock
– require encrypted filesystem
• No app-specific protections
– Once an app is installed to a ‘managed’ phone, it has full access to managed data
• No protection from a misbehaving system
How are smartphones being secured?
Diagram: Device Admin API; App Wrapping; Containerization
Existing Smartphone Controls
• Large market opportunity and multiple competing solutions, but existing solutions are all limited
– Not as reliable as traditional laptop controls
– Not as powerful
– Not as user-friendly
• Why?
– Android systems are designed from the bottom up to have excellent inter-application communication, and it is widely used
Data Flows: Android versus Laptop
• Data flow on a laptop is strongly tied to the original application
– E.g. very few apps on the system understand “PowerPoint” files
• Data passing between apps goes through the system in a well-understood format
– E.g. files
• Very few applications “cross-talk”
– E.g. the browser can download files for you, but it cannot specifically pass Spotify a message to “favorite this file I am downloading”
Data Flows: Android versus Laptop
• Data on a mobile device tends to ‘disperse’
– Android is designed to pass information and commands app-to-app
– Multiple 3rd-party apps have built entire command/data pathways
• E.g. http://www.openintents.org/, custom URL schemes (whatsapp://), standard filesystem on shared external storage
• Data passing between apps goes through the system in many formats
– “Standardized” Intents, non-standard Intents, filesystem, network sockets, parent process sharing, broadcasts, content providers, tunneled data inside other formats
• Most applications “cross-talk”
– Almost every application can “share” to a large number of other apps
– With a few lines of code, apps can send data via Bluetooth, email, SMS, clipboard, QR code, and multiple well-known network apps
Data flows inside Android
• Data flows even inside the OS
• Protecting app-to-app communication is not enough!
– Must protect against leaks inside the system
How should Android be secured?
• Intersection points of ‘few code changes’ and ‘big impact’
– Network access
– Disk access
– Inter-process communication
• The first two are already addressed
• The underlying IPC system on Android is pervasively used
– By app-to-app communication
– By app-to-system communication
– By system-to-system communication
• Adding security to this mechanism is a win!
Benefits of securing Android IPC
• Extremely powerful modification
– Almost all inter-application communication
– Huge portion of communication between Android and apps
• Completely invisible to existing code
• Very small impact on existing codebase
– No new bugs being introduced
• Resistant to future changes
OptioCore
Example: Stagefright via MMS
• Vector originates in the system
• Some MMS apps were vulnerable, some were not
– Auto-download MMS settings
• By blocking the dangerous IPC to vulnerable apps, we
– Prevent the immediate threat
– Buy reaction time for an OTA
– Protect users from a bug in the system itself
Diagram: SMS; RIL; MediaServer; OMX
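The blocking decision this slide describes, as an added example that is not from the deck and not OptioCore's code: a small model of an IPC-level policy evaluated on constructed broadcast records, showing how MMS delivery can be held back from auto-downloading apps until the OTA lands while other apps keep receiving it. The package names, uids and the two rules are assumptions; the action and MIME strings are Android's own constants.

```python
from dataclasses import dataclass

# Only the system and phone processes legitimately deliver telephony broadcasts.
FRAMEWORK_UIDS = {1000, 1001}
MMS_PUSH = "android.provider.Telephony.WAP_PUSH_DELIVER"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
MMS_MIME = "application/vnd.wap.mms-message"

@dataclass
class Ipc:
    action: str       # broadcast action being routed through Binder
    sender_uid: int   # uid of the process that sent it
    target: str       # package the message is addressed to
    mime: str = ""    # payload type the receiver will parse

@dataclass
class IpcPolicy:
    # Packages that auto-download MMS attachments and hand them straight to the
    # media stack: the exposed receivers in the Stagefright-via-MMS case.
    auto_download_pkgs: set
    media_stack_patched: bool = False  # set True once the OTA has landed

    def decide(self, ipc: Ipc) -> str:
        """Return 'allow' or 'block' for one IPC, without touching either app."""
        # Rule 1: a telephony delivery not coming from the framework is spoofed.
        if ipc.action in (MMS_PUSH, SMS_DELIVER) and ipc.sender_uid not in FRAMEWORK_UIDS:
            return "block"
        # Rule 2: until the media stack is patched, hold MMS content back from apps
        # that would parse it without user action; manual-download apps still get it.
        if (ipc.action == MMS_PUSH and ipc.mime == MMS_MIME
                and not self.media_stack_patched
                and ipc.target in self.auto_download_pkgs):
            return "block"
        return "allow"

def run_sample() -> dict:
    """Route constructed IPCs through the policy before and after the OTA."""
    policy = IpcPolicy(auto_download_pkgs={"com.example.messenger"})  # constructed names
    sample = {
        "mms_to_autodownload": Ipc(MMS_PUSH, 1001, "com.example.messenger", MMS_MIME),
        "mms_to_manual": Ipc(MMS_PUSH, 1001, "com.example.sms", MMS_MIME),
        "spoofed_sms": Ipc(SMS_DELIVER, 10042, "com.example.messenger"),
        "plain_sms": Ipc(SMS_DELIVER, 1001, "com.example.messenger"),
    }
    before = {name: policy.decide(ipc) for name, ipc in sample.items()}
    policy.media_stack_patched = True  # OTA applied: the temporary block is lifted
    after = policy.decide(sample["mms_to_autodownload"])
    return {"before_ota": before, "after_ota": after}
```

Because the decision sits on the IPC path rather than in either app, neither the messaging app nor the media stack needs to be rewrapped or modified when the rule changes.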
OptioInsight
o Deep visibility into security threats
o Cross-platform security analytics
o Rapid, actionable threat response
o Agile security policy management
o Enterprise user management
o Security reporting
Thanks!
Come visit OptioLabs in Booth #5145
OptioLabs
Company
OptioLabs is a security insight platform for the mobile
enterprise.
Mission
Secure the mobile enterprise with solutions that adapt
to threats in real time.